Building Trustworthy Semantic Webs

Dr. Bhavani Thuraisingham, The University of Texas at Dallas
Multilevel Secure Data Management and its implications to Multilevel semantic web technologies
October 27, 2008

Slides in this deck:
- Outline
- Overview of MLS/DBMS
- Summary of Developments
- Taxonomy for MLS/DBMSs
- Integrity Lock
- Operating System Providing Mandatory Access Control
- Extended Kernel
- Trusted Subject
- Distributed Approach - I
- Distributed Approach II
- Some Challenges: Inference Problem
- Some Challenges: Polyinstantiation
- Some Challenges: Covert Channel
- Multilevel Secure Data Model: Classifying Databases
- Multilevel Secure Data Model: Classifying Relations
- Multilevel Secure Data Model: Classifying Attributes/Columns
- Multilevel Secure Data Model: Classifying Tuples/Rows
- Multilevel Secure Data Model: Classifying Elements
- Multilevel Secure Data Model: Classifying Views
- Multilevel Secure Data Model: Classifying Metadata
- Status and Directions
- Multilevel Semantic Web Technologies

Outline
- What is an MLS/DBMS?
- Summary of Developments
- Challenges
- Data Models
- Implications for semantic web

Overview of MLS/DBMS

What is an MLS/DBMS?
- Users are cleared at different security levels
- Data in the database is assigned different sensitivity levels: a multilevel database
- Users share the multilevel database
- The MLS/DBMS is the software that ensures that users only obtain information at or below their level
- In general, a user reads at or below his level and writes at his level

Need for an MLS/DBMS
- Operating systems control access to files, a coarser grain of granularity
- A database stores relationships between data
- Content-, context- and dynamic access control are needed
- Traditional operating system access control to files is not sufficient
- Need multilevel access control for DBMSs

Summary of Developments
- Early efforts 1975 - 1982; example: Hinke-Schaefer approach
- Air Force Summer Study, 1982
- Research prototypes (Integrity Lock, SeaView, LDV, etc.); 1984 - present
- Trusted Database Interpretation; published 1991
- Commercial products; 1988 - present

Taxonomy for MLS/DBMSs
- Integrity Lock architecture: trusted filter, untrusted back-end, untrusted front-end. A checksum is computed by the filter based on the data content and its security level, and recomputed when the data is retrieved.
- Operating system providing access control / single kernel: multilevel data is partitioned into single-level files, and the operating system controls access to the files.
- Extended kernel: kernel extensions for functions such as inference and aggregation control and constraint processing.
- Trusted subject: the DBMS provides access control to its own data, such as relations, tuples and attributes.
- Distributed: data is partitioned according to security levels. In the partitioned approach data is not replicated and there is one DBMS per level; in the replicated approach lower-level data is replicated at the higher-level databases.

Integrity Lock
Diagram: Sensor -> Untrusted Data Manager -> Trusted Agent to compute checksums -> Database. On store, the trusted agent computes a checksum based on the data value and security level and stores the data value, security level and checksum. On retrieval, it recomputes the checksum from the data value and security level retrieved from the stored database.

Operating System Providing Mandatory Access Control
Diagram: Unclassified device, Secret device and TopSecret device -> Multilevel Data Manager -> Unclassified Data, Secret Data and TopSecret Data held in separate single-level files.

Extended Kernel
Diagram: Multilevel Data Manager with Kernel Extensions over Multilevel Data. The extensions enforce additional security policies on the data, e.g., security constraints, privacy constraints, etc.

Trusted Subject
Diagram: Unclassified device, Secret device and TopSecret device -> Multilevel Data Manager (Trusted Component) -> Multilevel Data.

Distributed Approach - I
Diagram: Unclassified Data Manager over Unclassified Data, Secret Data Manager over Secret Data, TopSecret Data Manager over TopSecret Data; a Trusted Agent manages aggregated data across them.

Distributed Approach II
Diagram: Unclassified Data Manager over Unclassified Data; Secret Data Manager over Secret + Unclassified Data; TopSecret Data Manager over TopSecret + Secret + Unclassified Data; a Trusted Agent manages aggregated data across them.

Some Challenges: Inference Problem
- Inference is the process of forming conclusions from premises
- If the conclusions are unauthorized, it becomes a problem
- Inference problem in a multilevel environment
- Aggregation problem is a special case of the inference problem: a collection of data elements is Secret but the individual elements are Unclassified
- Association problem: attributes A and B taken together are Secret; individually they are Unclassified

Some Challenges: Polyinstantiation
- Mechanism to avoid certain signaling channels
- Also supports cover stories
- Example: John and James have different salaries at different levels

EMP
SS#   Name    Salary   Level
1     John    20       U
2     Paul    30       U
3     James   40       U
1     John    70       S
4     Mary    80       S
3     James   60       S

Some Challenges: Covert Channel
- Database transactions manipulate data locks and covertly pass information
- Two transactions T1 and T2; T1 operates at the Secret level and T2 operates at the Unclassified level
- Relation R is classified at the Unclassified level
- T1 obtains a read lock on R and T2 obtains a write lock on R
- T1 and T2 can manipulate when they request locks and signal one bit of information with each attempt; over time T1 could covertly send sensitive information to T2

Multilevel Secure Data Model: Classifying Databases
DATABASE D: Level = Secret

EMP
SS#   Ename   Salary   D#
1     John    20K      10
2     Paul    30K      20
3     Mary    40K      20

DEPT
D#    Dname     Mgr
10    Math      Smith
20    Physics   Jones

Multilevel Secure Data Model: Classifying Relations

EMP: Level = Secret
SS#   Ename   Salary   D#
1     John    20K      10
2     Paul    30K      20
3     Mary    40K      20

DEPT: Level = Unclassified
D#    Dname     Mgr
10    Math      Smith
20    Physics   Jones

Multilevel Secure Data Model: Classifying Attributes/Columns

EMP
SS#: S   Ename: U   Salary: S   D#: U
1        John       20K         10
2        Paul       30K         20
3        Mary       40K         20

DEPT
D#: U   Dname: U   Mgr: S
10      Math       Smith
20      Physics    Jones

U = Unclassified, S = Secret

Multilevel Secure Data Model: Classifying Tuples/Rows

EMP
SS#   Ename   Salary   D#   Level
1     John    20K      10   U
2     Paul    30K      20   S
3     Mary    40K      20   TS

DEPT
D#    Dname     Mgr     Level
10    Math      Smith   U
20    Physics   Jones   C

U = Unclassified, C = Confidential, S = Secret, TS = TopSecret

Multilevel Secure Data Model: Classifying Elements

EMP (each element carries its own level)
SS#    Ename     Salary   D#
1, S   John, U   20K, C   10, U
2, S   Paul, U   30K, S   20, U
3, S   Mary, U   40K, S   20, U

DEPT
D#: U   Dname:
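The Integrity Lock architecture in the taxonomy above puts one trusted filter in front of an untrusted back-end: the filter stamps each stored value with a checksum over the data value and its security level, and recomputes that checksum on retrieval so that a modified or relabelled row is detected. The following is an added example, not code from the slides or from any of the prototypes named there. It assumes the checksum is a keyed HMAC under a key only the filter holds (the slides say only "checksum"), and the key names, level set and the sample row are constructed for the example.

```python
import hashlib
import hmac

# Linear security lattice used throughout the deck (constructed encoding).
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


class IntegrityError(Exception):
    """Raised when a retrieved row fails the integrity-lock check."""


class UntrustedBackend:
    """The untrusted back-end DBMS: stores (value, level, checksum) triples.
    It never sees the filter's key, so it cannot forge a valid checksum."""

    def __init__(self):
        self.rows = {}

    def store(self, key, triple):
        self.rows[key] = triple

    def fetch(self, key):
        return self.rows[key]


class TrustedFilter:
    """The trusted filter: computes checksums on insert, verifies them on read,
    and enforces read-down against the *verified* level, never the stored one."""

    def __init__(self, key: bytes, backend: UntrustedBackend):
        self._key = key          # assumption: key held only by the filter
        self._backend = backend

    def _checksum(self, value: str, level: str) -> str:
        # Bind value and level together; levels never contain the separator.
        msg = level.encode() + b"\x00" + value.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def insert(self, key: str, value: str, level: str) -> None:
        self._backend.store(key, (value, level, self._checksum(value, level)))

    def read(self, key: str, clearance: str):
        value, level, stored = self._backend.fetch(key)
        # Recompute from what the back-end returned; any change to value or
        # level since insertion shows up here.
        if not hmac.compare_digest(stored, self._checksum(value, level)):
            raise IntegrityError(f"checksum mismatch for key {key!r}")
        if LEVELS[level] > LEVELS[clearance]:
            return None          # read-down: nothing returned above clearance
        return value


def demo():
    """Store a Secret value, read it at two clearances, then show that a
    back-end relabelling it to Unclassified is caught on retrieval."""
    backend = UntrustedBackend()
    flt = TrustedFilter(b"constructed-filter-only-key", backend)
    flt.insert("emp:1:salary", "70", "S")
    seen_by_ts = flt.read("emp:1:salary", "TS")   # "70"
    seen_by_u = flt.read("emp:1:salary", "U")     # None
    # Faulty or hostile back-end rewrites the level but cannot fix the checksum.
    value, _, tag = backend.rows["emp:1:salary"]
    backend.rows["emp:1:salary"] = (value, "U", tag)
    try:
        flt.read("emp:1:salary", "U")
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    return seen_by_ts, seen_by_u, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The check works because the level is part of the checksummed message: a row cannot be downgraded without invalidating its tag. Note what it does not do: the back-end still holds and processes every value in the clear, so the filter detects tampering after the fact but does not keep data away from the untrusted component itself, which is why the other architectures in the taxonomy move the security enforcement closer to the data.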
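The polyinstantiation slide and the "Classifying Elements" slide above both describe how a multilevel relational model answers queries under the read-at-or-below / write-at-own-level rule stated on the "What is an MLS/DBMS?" slide. The example below is added here and is not code from the deck; it uses the EMP relations exactly as the slides give them and a constructed encoding of the level ordering. It shows tuple-level classification with polyinstantiation (a Secret update never touches an Unclassified tuple, so nothing is signalled downward; instead a second tuple with the same key appears at Secret) and element-level classification with read-down filtering (cells above the user's clearance come back as null).

```python
# Linear lattice U < C < S < TS (constructed encoding of the deck's levels).
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def dominates(a: str, b: str) -> bool:
    """True if level a is at or above level b."""
    return LEVELS[a] >= LEVELS[b]


def can_read(clearance: str, level: str) -> bool:
    return dominates(clearance, level)      # read at or below own level


def can_write(clearance: str, level: str) -> bool:
    return clearance == level               # write only at own level


# Tuple-classified EMP from the polyinstantiation slide: (SS#, Name, Salary, Level).
# John (1) and James (3) have a cover story at U and the real value at S.
EMP_TUPLES = [
    (1, "John", 20, "U"), (2, "Paul", 30, "U"), (3, "James", 40, "U"),
    (1, "John", 70, "S"), (4, "Mary", 80, "S"), (3, "James", 60, "S"),
]


def select(rel, clearance):
    """Return {SS#: (Name, Salary)} as seen at `clearance`: only tuples at or
    below the clearance, and for a polyinstantiated key the tuple at the
    highest visible level wins."""
    view = {}
    for ss, name, salary, level in rel:
        if not can_read(clearance, level):
            continue
        if ss not in view or dominates(level, view[ss][2]):
            view[ss] = (name, salary, level)
    return {ss: (name, salary) for ss, (name, salary, _) in view.items()}


def update_salary(rel, ss, new_salary, clearance):
    """Update issued by a subject at `clearance`. A tuple at the subject's own
    level is updated in place; tuples at other levels are never modified
    (modifying a lower one would signal the update to lower-cleared users),
    so otherwise a polyinstantiated tuple is inserted at the subject's level."""
    for i, (s, name, salary, level) in enumerate(rel):
        if s == ss and can_write(clearance, level):
            rel[i] = (s, name, new_salary, level)
            return "updated"
    names = [n for s, n, _, lvl in rel if s == ss and can_read(clearance, lvl)]
    if not names:
        raise KeyError(f"no tuple with SS#={ss} visible at {clearance}")
    rel.append((ss, names[0], new_salary, clearance))
    return "polyinstantiated"


# Element-classified EMP from the "Classifying Elements" slide: each cell is
# (value, level).
EMP_ELEMENTS = [
    {"SS#": (1, "S"), "Ename": ("John", "U"), "Salary": ("20K", "C"), "D#": (10, "U")},
    {"SS#": (2, "S"), "Ename": ("Paul", "U"), "Salary": ("30K", "S"), "D#": (20, "U")},
    {"SS#": (3, "S"), "Ename": ("Mary", "U"), "Salary": ("40K", "S"), "D#": (20, "U")},
]


def project_elements(rel, clearance):
    """Read-down over an element-classified relation: every cell whose level
    the clearance does not dominate is returned as None (null)."""
    return [
        {col: (val if can_read(clearance, lvl) else None) for col, (val, lvl) in row.items()}
        for row in rel
    ]


if __name__ == "__main__":
    print(select(EMP_TUPLES, "U"))   # cover stories only
    print(select(EMP_TUPLES, "S"))   # real salaries for John and James
    print(project_elements(EMP_ELEMENTS, "C"))
```

Run at clearance U, `select` returns John 20 and James 40; at S it returns John 70 and James 60 plus Mary, who has no Unclassified tuple at all. A Secret user updating Paul's salary leaves the Unclassified tuple (2, Paul, 30, U) untouched and adds (2, Paul, new, S), which is the signalling-channel avoidance the slide refers to.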